TECHNICAL FIELD

The systems and methods described herein generally relate to
counterfeit-resistant and/or tamper-resistant labels, and more particularly, to utilizing
randomly distributed features of an object (whether embedded or naturally 
inherent) to limit unauthorized attempts in counterfeiting and/or tampering with 
the label. 

BACKGROUND OF THE INVENTION 

Counterfeiting and tampering of labels cost product marketers and 
manufacturers billions of dollars each year in lost income and lost customers. 
With the proliferation of computer technology, generating labels that resemble the 
genuine item has become easier. For example, a scanner may be utilized to scan a 
high-resolution image of a genuine label which can then be reproduced repeatedly 
at a minimum cost. Also, coupons may be scanned, modified (e.g., to have a 
higher value), repeatedly printed, and redeemed. 

Various technologies have been utilized to stop the flood of counterfeiting
and tampering in recent years. One way labels have been secured is by
incorporation of bar codes. Bar codes are generally machine-readable code that is 
printed on a label. Using a bar code scanner, the label with a bar code may be 
quickly read and authenticated. One problem with current bar coded labels is that 
an identical label may be used on various items. 

Another current solution is to have the scanned bar code examined against 
secure data stored in a database (e.g., a point of sale (POS) system). This solution, 
however, requires incorporation of up-to-date data from a marketer or 
manufacturer. Such a solution requires timely and close cooperation of multiple
entities. Also, such a solution limits its implementation flexibility and may not 
always be feasible. 

These technologies, however, share a common disadvantage; namely, the 
labels scanned are physically identical for a given product. Accordingly, even 
though the manufacturing process for creating the legitimate labels may be highly 
sophisticated, it generally does not take a counterfeiter much time to determine a 
way to create fake pass-offs. And, once a label is successfully copied a single 
time, it may be repeatedly reproduced (e.g., by building a master copy that is 
replicated at low cost). Even if a label is black-listed in a database after a given 
number of uses, there is no guarantee that the labels that are scanned first are 
actually the genuine labels. 

Accordingly, the current solutions fail to provide labels that are relatively 
hard to copy and inexpensive to produce. 

SUMMARY OF THE INVENTION 

The systems and methods described herein are directed at encoding 
randomly distributed features in an object. In one aspect, randomly distributed 
features in an authentication object are determined. Data representing the 
randomly distributed features is compressed and encoded with a signature. A 
label is created and includes the authentication object and the encoded data. 

In another aspect, the data is compressed by determining a probability 
density function associated with the authentication object. Vectors associated with 
the randomly distributed attributes are determined based, at least in part, on the 
probability density function. The vectors are encoded using an arithmetic coding
algorithm. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 shows an example authentication object for use as part of a label, 
such as a certificate of authenticity. 

Fig. 2 is a schematic diagram illustrating an example certificate of 
authenticity system and example procedures employed by the system for issuing 
and verifying a certificate of authenticity. 

Fig. 3A is a schematic diagram of an example scanning system for 
capturing randomly distributed features of an authentication object associated with 
a certificate of authenticity. 

Fig. 3B is a top view of the authentication object shown in Fig. 3A. 

Fig. 4 is a flow diagram of an example process that may be used to create a 
certificate of authenticity. 

Fig. 5 is a flow diagram of an example process that may be used to 
compress data that represents the randomly distributed attributes of an 
authentication object. 

Figure 6 is a graphical representation of areas that correspond to four 
different regions in an example authentication object. 

Figure 7 is a graphical representation of the nineteen different regions on an 
example authentication object. 

Fig. 8 is a graph of an example of the probability density function for a 
square authentication object. 

Figure 9 is a graphical representation of areas in an authentication object. 

Fig. 10 is a graphical representation of an example of how an arithmetic
coder encodes the string "aba".

Figure 11 is an example of an instance of an authentication object shown
with nodes.

Figure 12 is a graphical representation of a certificate of authenticity 
designed for optimizing cost effectiveness. 

Fig. 13 illustrates an example computing device in which the described
systems and methods can be either fully or partially implemented.

DETAILED DESCRIPTION 
I. Introduction 

The systems and methods described herein are directed at encoding 
information about the randomly distributed features of an object used in a label. 
Labels may include any type of identification means that are attached to or 
incorporated within an item. A label that is configured to be authenticated is
referred to herein as a certificate of authenticity. An object with randomly
distributed features used in a certificate of authenticity is referred to herein as an 
authentication object. To enable self-authentication, a certificate of authenticity 
may include both the authentication object and the information about the randomly 
distributed features. A compression method may be used to increase the amount 
of information about the randomly distributed features that can be encoded and 
included in the certificate of authenticity. According to one example calculation,
the cost of forging a certificate of authenticity increases exponentially in
proportion to the improvement in compressing the information. This substantial
increase in forging cost results in a reliable certificate of authenticity that is
relatively cheap to manufacture but is difficult to falsify.

Fig. 1 shows an example authentication object 100 for use as part of a label, 
such as a certificate of authenticity. To be effectively used in a certificate of 
authenticity, authentication object 100 typically contains randomly distributed 
features that are unique and are hard to replicate. The example authentication 
object 100 shown in Fig. 1 is part of a fiber-based certificate of authenticity and 
contains fibers 110 that are embedded in the object in a random manner. Fibers
110 serve as the randomly distributed features of authentication object 100. Fibers
110 may be incorporated in authentication object 100 by any means. For example,
fibers 110 may be sprayed onto authentication object 100. Fibers 110 may also be
embedded into authentication object 100 during the manufacturing process. In one 
embodiment, fibers 110 are optical fibers capable of transmitting light between 
their endpoints. Thus, by shedding light on a certain region 120 of authentication 
object 100, endpoints of fibers 131-133 that have at least one end-point within the 
lit up region are illuminated. 

In Fig. 1, authentication object 100 includes k randomly distributed fibers. 
Authentication object 100 may be scanned at a resolution of L x L pixels. Each 
fiber has a fixed length of R. Although the example authentication object 100 in 
Fig. 1 contains fibers, it is to be understood that authentication objects with other 
randomly distributed features may also be used in a certificate of authenticity in a 
similar manner. 

The randomly distributed features of authentication object 100 may be 
used in a certificate of authenticity to protect the proof of authenticity of an 
arbitrary object, such as a product. For example, certain hard-to-replicate data 
about the randomly distributed features of the certificate of authenticity may be
digitized, signed with the private key of the issuer, and the signature may be 
imprinted on the certificate of authenticity in a machine-readable form to validate 
that the produced instance is authentic. Each instance of the certificate of
authenticity is associated with an object whose authenticity the issuer wants to
vouch for. In one embodiment, verification of authenticity is done by extracting the
signed data (data about the randomly distributed features) using the public key of 
the issuer and verifying that the extracted data matches the data of the associated 
instance of the certificate of authenticity. In order to counterfeit protected objects, 
the adversary needs to either: (i) figure out the private key of the issuer, (ii) devise 
a manufacturing process that can exactly replicate an already signed instance of 
the certificate of authenticity, or (iii) misappropriate signed instances of the 
certificate of authenticity. From that perspective, the certificate of authenticity can 
be used to protect products whose value roughly does not exceed the cost of 
forging a single certificate of authenticity instance, including the accumulated 
development of a successful adversarial manufacturing process. 

A goal of a certificate of authenticity system is to ensure the authenticity of 
products or certain information associated with a product. The set of applications 
is numerous and broad, ranging from software and media (e.g., DVD, CD)
anti-piracy to unforgeable coupons and design of tamper-proof hardware. For
example, creating a tamper-resistant chip would require coating its package with a 
certificate of authenticity. Before each usage, the integrity of the certificate of 
authenticity should be verified in order to verify authenticity of the protected 
silicon. 

Below, example hardware platforms for inexpensive but efficient read-out
of the randomly distributed features of a fiber-based certificate of authenticity will 
be discussed. The hardware platforms may include a barcode. Since the capacity 
of a barcode for low-cost readers is limited to about 3K bits, the message signed 
by the private key is limited to the same length. Also, since one of the goals of a
certificate of authenticity system is to maximize the effort of the adversary who
aims at forging a specific instance of the certificate of authenticity, the problem
of storing as much information as possible about the unique and randomly
distributed features of a fiber-based certificate of authenticity in the
fixed-length signed message will be discussed. An example analytical model for a
fiber-based certificate of authenticity will be provided. Then, the discussion 
below will also formalize the problem of compression of a point set, and show that 
optimal compression of fibers' positions in an instance of a certificate of 
authenticity is an NP-complete problem. In order to heuristically address this 
problem, an algorithm which significantly improves upon compression ratios of 
conventional compression methodologies will be provided. 

II. Issuing and Verifying Certificate of Authenticity 

Fig. 2 is a schematic diagram illustrating an example certificate of 
authenticity system 200 and example procedures employed by the system for 
issuing and verifying a certificate of authenticity. Certificate of authenticity 
system 200 includes certificate of authenticity 210, an issuer 230, and a verifier 
250. As shown in Fig. 2, certificate of authenticity 210 may include the 
authentication object 100 in Fig. 1, a barcode 213, and text 215. 

The information that needs to be protected on a certificate of authenticity
includes: (a) the representation of the hard-to-replicate randomly distributed
features of authentication object 100 and (b) arbitrary associated textual data.
Initially, the randomly distributed features of authentication object 100, such as 
locations of fibers, are scanned using a hardware device. Details on how this 
information is collected and represented will be discussed below in conjunction 
with Fig. 3. 

For the purpose of discussion, assume that the resulting information $f$ is a
random string of $n_F$ bits. Parameter $n_F$ is fixed and equals $n_F = k \cdot n_{RSA}$, $k \in \mathbb{N}$,
where $n_{RSA}$ is the length of an RSA public-key (for example, $n_{RSA} = 1024$) and $k$ is
commonly set to $k \in [1,3]$. Given a fixed $n_F$, the digest $f$ of data 231 representing
the randomly distributed features of authentication object 100 may statistically
maximize the distance between any two distinct certificate of authenticity
instances. This goal translates directly to minimized likelihood of a false negative
and false positive during the verification step.

The textual data t is an arbitrary string of characters which depends on the 
application (e.g., expiration date, manufacturer's warranty). The textual data is 
derived from text 215, which is printed on certificate of authenticity 210 as shown 
in Fig. 2. 

The textual data may be hashed using a cryptographically secure hash
algorithm 237, such as SHA1. The output of the hash function is denoted as a
message $t$ with $n_T$ bits. Issuer 230 creates the message $m$ that may be signed by
RSA. For example, messages $f$ and $t$ are merged into a message $m$ of length
$n_M = n_F$ using a reversible operator $\otimes$ that ensures that each bit of $m$ is dependent
upon all bits from both $f$ and $t$. This step may maximize the number of bits that
need to be manipulated in data 231 as well as text 215 to create a certain message
$m$. An example of such an operator is symmetric encryption $m = t \otimes f \equiv E_t(f)$ of
$f$ using $t$ or certain subset of bits from $t$ as a key. Message $m$ is signed with an
RSA signature 235 using the private-key 233 of the issuer 230. Each $n_{RSA}$ bits of
$m$ are signed separately. The resulting signature $s$ has $n_S = n_M = n_F$ bits. This
message is encoded and printed as barcode 213 (such as barcodes that obey the
PDF417 standard) onto certificate of authenticity 210.

The verification of certificate of authenticity 210 involves several steps. 
Verifier 250 initially scans the printed components: text 215 and barcode 213. 
Barcode 213 is decoded into the originally printed signature s. Text 215 is 
scanned and is hashed in order to create the message t . Note that generic optical 
character recognition (OCR) is not required for this task because the font used to 
print the text is known to the verifier 250 and optimized for improved OCR. For 
successful certificate of authenticity verification, text 215 and barcode 213 need to 
be read without errors; a task which is readily achievable with modern scanning 
technologies. 

Verifier 250 performs the RSA signature verification 255 on $s$ using
issuer's public-key 253 and obtains the signed message $m$. Verifier 250 can then
compute $f = m \,(\otimes)^{-1}\, t$. In the example of using encryption as $\otimes$, this is achieved
via decryption $f = E_t^{-1}(m)$. Next, verifier 250 scans data 251 representing the
randomly distributed features in authentication object 251 and creates their
presentation $f'$. Verifier 250 compares $f'$ to the extracted $f$. Verifier 250 needs
to quantify the correlation between the two sets of data: the one attached to the
certificate and the one used to create the signature on the certificate of
authenticity. At decision block 259, if the level of similarity of the two sets of
data surpasses a certain threshold, verifier 250 announces that the certificate of
authenticity 210 is authentic and vice versa.
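
The issuing and verification flow of Fig. 2, as an added example that is not code from the patent: the issuer merges the end-point data f with the SHA-1 digest t of the printed text, signs the result, and the verifier recovers f with the public key and compares it to a fresh scan. Assumptions made here: a toy RSA key built from two public Mersenne primes and used without padding, a 4-round Feistel network keyed by t standing in for the reversible operator, a 140-byte f holding (x, y) byte pairs, a 1-pixel matching tolerance and a 0.8 similarity threshold.

```python
import hashlib
import random

# Toy issuer key from two Mersenne primes (constructed; public primes, no security).
P_PRIME, Q_PRIME = 2**521 - 1, 2**607 - 1
N, E = P_PRIME * Q_PRIME, 65537
D = pow(E, -1, (P_PRIME - 1) * (Q_PRIME - 1))   # private exponent (Python 3.8+)
BLOCK = 140      # assumed size of f in bytes: up to 70 end-points, 2 bytes each
ROUNDS = 4       # Feistel rounds, so every bit of m depends on all of f and t


def text_digest(text):
    """t: SHA-1 of the printed text, the hash named on the page."""
    return hashlib.sha1(text.encode()).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(t, i, half):
    return hashlib.shake_256(t + bytes([i]) + half).digest(len(half))


def merge(t, f):
    """m = E_t(f): keyed Feistel permutation (assumed stand-in for the operator)."""
    left, right = f[:BLOCK // 2], f[BLOCK // 2:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(t, i, right))
    return left + right


def unmerge(t, m):
    """f = E_t^{-1}(m): the same rounds run backwards."""
    left, right = m[:BLOCK // 2], m[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(t, i, left)), left
    return left + right


def encode_points(points):
    """Serialize (x, y) end-points on a 128 x 128 grid; 0xff marks an empty slot."""
    raw = bytes(c for p in sorted(points)[:BLOCK // 2] for c in p)
    return raw.ljust(BLOCK, b"\xff")


def decode_points(f):
    return [(x, y) for x, y in zip(f[0::2], f[1::2]) if x != 0xFF]


def issue(points, text):
    """Issuer: return the signature s that would be printed as the barcode."""
    m = merge(text_digest(text), encode_points(points))
    return pow(int.from_bytes(m, "big"), D, N)


def verify(s, text, scanned, tol=1, threshold=0.8):
    """Verifier: recover m with the public key, then f, and compare f to the scan."""
    m_int = pow(s, E, N)
    if m_int >= 1 << (8 * BLOCK):
        return False                  # not a message this issuer could have signed
    f = unmerge(text_digest(text), m_int.to_bytes(BLOCK, "big"))
    signed = decode_points(f)
    if not signed:
        return False
    hits = sum(any(abs(x - u) <= tol and abs(y - v) <= tol for u, v in scanned)
               for x, y in signed)
    return hits / len(signed) >= threshold


def demo():
    rng = random.Random(7)                # constructed sample data
    genuine = {(rng.randrange(128), rng.randrange(128)) for _ in range(40)}
    text = "Expires 2030-01; lot 42"      # constructed label text
    s = issue(genuine, text)
    # Re-scan of the same object: 1-pixel jitter and three missed end-points.
    rescan = [(min(127, max(0, x + rng.choice((-1, 0, 1)))),
               min(127, max(0, y + rng.choice((-1, 0, 1)))))
              for x, y in sorted(genuine)][3:]
    other = [(rng.randrange(128), rng.randrange(128)) for _ in range(40)]
    return {
        "genuine re-scan": verify(s, text, rescan),
        "altered text": verify(s, "Expires 2040-01; lot 42", rescan),
        "barcode copied onto another object": verify(s, text, other),
        "modified signature": verify(s ^ 1, text, rescan),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'authentic' if ok else 'rejected'}")
```

Only the noisy re-scan of the signed object passes; changing the text, moving the barcode to a different object, or touching the signature each drives the similarity below the threshold.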

Fig. 3A is a schematic diagram of an example scanning system 300 for 
capturing randomly distributed features of authentication object 310 associated 
with a certificate of authenticity. Scanning system 300 includes optical sensor 
322 and light source 324. Optical sensor 322 is configured to scan authentication 
object 310 and may include a charge-coupled device (CCD) matrix of a particular
resolution. In one embodiment, optical sensor 322 has a resolution of 128 x 128 
pixels. Light source 324 is configured to provide light of a particular wavelength 
to illuminate a region of authentication object 310. Light source 324 may include, 
for example, a light emitting diode (LED). As shown in Fig. 3A, one end of fiber 
326 in authentication object 310 is illuminated by light source 324. The light is 
transmitted to the other end of fiber 326 and is sensed by optical sensor 322. 

Fig. 3B is a top view of the authentication object 310 in Fig. 3A. In 
operation, the scanning system 300 divides authentication object 310 into regions, 
such as regions 311-314. As shown in Fig. 3B, light source 324 of scanning 
system 300 sheds light onto region 314 while regions 311-313 are isolated from 
light source 324. By illuminating region 314, the location of the endpoints in 
regions 311-313 of authentication object 310 can be determined by optical sensor 
322. Thus, the read-out of the randomly distributed features in authentication 
object 310 includes four digital images that contain four different point-sets. Each 
point-set is associated with a particular region and is determined by illuminating 
that region. 

It is conceivable that advancement in technology, such as nanotechnology, 
may enable an electronic device to decode the randomly distributed features from 
a certificate of authenticity and create a light pattern that corresponds to these
features. Such a device may be able to forge the certificate of authenticity. In one 
embodiment, scanning system 300 may be configured to prevent this method of 
forging by changing the wavelength (e.g. color) of the light used by light source 
324. For example, the wavelength of the light may be randomly selected each 
time an authentication object is scanned by scanning system 300. Optical sensor 
322 may be configured to detect the wavelength of the light emitted by the fibers 
in the authentication object and to determine whether that wavelength corresponds 
to the wavelength of the light emitted by light source 324. If the wavelengths of 
the emitted and detected light do not match, the certificate of authenticity is likely 
a forgery. 

Fig. 4 is a flow diagram of an example process 400 that may be used to 
create a certificate of authenticity. At block 405, the authentication object in a 
certificate of authenticity is scanned. The authentication object may be scanned 
using scanning system 300 in Fig. 3A.

At block 410, data representing the randomly distributed attributes of the 
authentication object is determined. In a fiber-based authentication object, the 
data may include the positions of the endpoints of fibers that are illuminated, such 
as the endpoints shown in Fig. 3B. 

At block 415, the data is compressed to enhance the security level of the
certificate of authenticity. Data compression will be discussed in detail in 
conjunction with Fig. 5. Briefly stated, a path may be determined for compressing 
a portion of the data representing randomly distributed attributes in the 
authentication object. 

At block 420, the compressed data is encoded. For example, the
compressed data may be signed using private-key 233 in Fig. 2. At block 425, the 
encoded data is incorporated in the certificate of authenticity. For example, the 
encoded data may be printed onto the certificate of authenticity as a barcode, such 
as barcode 213 in Fig. 2. 

Fig. 5 is a flow diagram of an example process 500 that may be used to 
compress data that represents the randomly distributed attributes of an 
authentication object. For the purpose of discussion, process 500 will be described 
in the context of a fiber-based certificate of authenticity. However, process 500 
may be applied to any type of certificate of authenticity. 

At block 505, a probability density function associated with the 
authentication object is determined. The probability density function will be discussed
in Section III-A. An example probability density function is shown in Equation 
11. A graphical presentation of the example probability density function is 
illustrated in Fig. 8. Briefly stated, the probability density function represents the 
likelihood that a unit of the randomly distributed attributes is found in a certain 
location of the authentication object. In the context of a fiber-based certificate of 
authenticity, the probability density function may represent the probability that a 
particular point in a region of the authentication object is illuminated. The 
probability density function may also be used to compute how many of the total 
fibers will be illuminated in a particular region. 

At block 510, vectors associated with the randomly distributed attributes 
are determined. In the context of a fiber-based certificate of authenticity,
point-to-point vectors are used and will be discussed in Section IV-A. In particular,
Equation 16 may be used to compute point-to-point vectors to represent the
randomly distributed attributes in a fiber-based certificate of authenticity.

At block 515, the vectors are encoded using an arithmetic coding algorithm. 
The arithmetic coding algorithm will be discussed in Section IV-A. An example
algorithm is shown in Table 2. 

At block 520, a path for compressing a portion of the vectors within a fixed 
amount of data is determined. The method for computing the path is discussed in 
Section IV-B. The example path may be computed using Equation 20. At block 
525, the path of the compressed data representing a portion of the randomly 
distributed attributes is returned. 

III. Certificate of Authenticity Model 

In this section, an analytical model of a fiber-based certificate of
authenticity is discussed. Two features of a certificate of authenticity $S$ are
modeled. Given that a particular region $S_i$ of the certificate of authenticity is
illuminated, the probability density function that a particular point in $S - S_i$ is
illuminated is computed. Also, given that $K$ fibers are in $S$, the expected number
of fibers that are illuminated in $S - S_i$ is also computed.

A. Distribution of Illuminated Fiber End-Points 

An authentication object $(L,R,K)$ is modeled as a square with an edge of $L$
units and $K$ fibers of fixed length $R < L/2$ randomly thrown over the object. Other
model variants, such as variable fiber length or arbitrary shape authentication
object, can be derived from this model. The authentication object is positioned in
the positive quadrant of a 2D Cartesian coordinate system as illustrated in Fig. 1.
In addition, the authentication object is divided into four equal squares
$S = \{S_1, S_2, S_3, S_4\}$. Each of them is used to record the 3D fiber structure as
described above in conjunction with Fig. 3A and 3B. Next, a fiber is denoted as a
tuple $f = \{A,B\}$ of points $A, B \subset S$ such that the distance between them is
$\|A - B\| = R$.

Definition 1. Distribution of Illuminated Fiber End-Points. Given that
one of the squares $S_i$ is illuminated, the probability density function (pdf)
$\varphi(i,Q(x,y))$ is defined for any point $Q(x,y) \subset S - S_i$ via the probability that
any area $P \subset S - S_i$ contains an illuminated end-point $A$ of a fiber $f = \{A,B\}$,
conditioned on the fact that the other end-point $B$ is located in the illuminated
region $S_i$. More formally, for any $P \subset S - S_i$:

$$\xi(i,P) = \Pr[A \subset P \mid f = \{A,B\} \subset S,\ B \subset S_i] = \iint_{Q(x,y) \subset P} \varphi(i,Q(x,y))\,dx\,dy. \quad (6)$$

Assume that throwing a fiber $f = \{A,B\}$ into an authentication object
consists of two dependent events: (i) first end-point $A$ lands on the authentication
object and (ii) second end-point $B$ hits the authentication object. While $A$ can
land anywhere on the COA, the position of $B$ is dependent upon the location of
$A$. Endpoint $B$ must land on part of the perimeter of the circle centered around $A$,
with a radius $R$, and contained within the authentication object. In the remainder
of this subsection, the function $\varphi(i,Q(x,y))$ is analytically computed based on the
analysis of the events (i-ii). For brevity, only $\varphi(1,Q(x,y))$ is computed for the case
when region $S_1$ is lit up. $\varphi(1,Q(x,y))$ is computed in two steps.

Definition 2. Perimeter Containment. First, for a given point $A \subset S$, the
perimeter containment function $\varrho(A)$ is defined, which measures the length of the
part of the perimeter (arc) of the circle centered at $A$ with radius $R$ that is
encompassed by the entire authentication object $S$. There are four different
regions in the authentication object (marked P1 through P4 in Fig. 6) where $\varrho(A)$
is uniformly computed.

Fig. 6 is a graphical representation of areas P1-P4 that correspond to the 
four different regions in an example authentication object 600. For each point in a 
certain area Px, the perimeter containment function is computed using a closed 
analytical form distinct for that area using Equations 7-10 as discussed below. 

AREA P1. This is the central area of the authentication object, where for any
point $Q \subset P1$, the circle with radius $R$ centered at $Q$ does not intersect with any of
the edges of the authentication object. The area is bounded by: $R < x < L-R$,
$R < y < L-R$.

$$\varrho(Q(x,y)) = 2R\pi. \quad (7)$$

AREA P2. There are four different P2 regions, where a circle with radius $R$
centered at any point $Q \subset P2$ intersects twice with exactly one edge of the
authentication object. For brevity, consideration is given only for the following one:
$R < x < L-R$, $0 < y < R$. Equations for other three regions can be symmetrically
computed.

$$\varrho(Q(x,y)) = R\left[\pi + 2\arcsin\left(\frac{y}{R}\right)\right]. \quad (8)$$



AREA P3. There are four different P3 regions, where a circle with radius $R$
centered at any point $Q \subset P3$ intersects twice with two different edges of the
authentication object. Consideration is given only for the following one: $0 < x < R$,
$0 < y < R$, $x^2 + y^2 > R^2$.

$$\varrho(Q(x,y)) = 2R\left[\pi - \arccos\left(\frac{x}{R}\right) - \arccos\left(\frac{y}{R}\right)\right]. \quad (9)$$



AREA P4. There are four different P4 regions, where a circle with radius $R$
centered at any point $Q \subset P4$ intersects once with two edges of the COA.
Consideration is given only for the following one: $x^2 + y^2 < R^2$.

$$\varrho(Q(x,y)) = R\left[\frac{\pi}{2} + \arcsin\left(\frac{x}{R}\right) + \arcsin\left(\frac{y}{R}\right)\right]. \quad (10)$$



In all Equations 8-10, only the return values of functions $\arcsin(\cdot)$ and
$\arccos(\cdot)$ that are within $\{0, \pi/2\}$ are considered.
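
A numerical check of the perimeter containment function, added here as an example and not taken from the patent: the closed forms for areas P1-P4 are written out from the area definitions above and compared with a brute-force measurement of the arc that falls inside the square. The function names, the folding of mirrored regions into one quadrant, and the sample count are choices made for this example.

```python
import math


def rho(x, y, L, R):
    """Length of the circle C((x, y), R) lying inside the square [0, L] x [0, L]."""
    if not (0 <= x <= L and 0 <= y <= L and 0 < R < L / 2):
        raise ValueError("point must lie in the object and R must be below L/2")
    # Fold into the lower-left quadrant: the other P2-P4 regions are mirror images.
    x, y = min(x, L - x), min(y, L - y)
    if x >= R and y >= R:                       # P1: circle misses every edge
        return 2 * R * math.pi
    if x >= R:                                  # P2: crosses the edge y = 0 twice
        return R * (math.pi + 2 * math.asin(y / R))
    if y >= R:                                  # P2 mirrored: crosses x = 0 twice
        return R * (math.pi + 2 * math.asin(x / R))
    if x * x + y * y > R * R:                   # P3: corner lies outside the circle
        return 2 * R * (math.pi - math.acos(x / R) - math.acos(y / R))
    # P4: corner lies inside the circle, one crossing on each of the two edges
    return R * (math.pi / 2 + math.asin(x / R) + math.asin(y / R))


def rho_sampled(x, y, L, R, n=7200):
    """Brute force: fraction of n points on the circle that fall inside the square."""
    inside = 0
    for k in range(n):
        a = (k + 0.5) * 2 * math.pi / n
        px, py = x + R * math.cos(a), y + R * math.sin(a)
        inside += 0 <= px <= L and 0 <= py <= L
    return inside * 2 * math.pi * R / n


def max_error(L=64, R=28, step=8):
    """Largest |closed form - sampled| over a grid that touches P1-P4 and mirrors."""
    grid = range(0, L + 1, step)
    return max(abs(rho(x, y, L, R) - rho_sampled(x, y, L, R))
               for x in grid for y in grid)


if __name__ == "__main__":
    # Object parameters L = 64, R = 28 are the ones used for Fig. 8 on the page.
    print(f"max deviation on the grid: {max_error():.3f} length units")
```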

In the second step, the actual $\varphi(1,Q(x,y))$ is computed based on the fact that
an illuminated endpoint $A$ of a fiber $f = \{A,B\}$ is at position $A = Q(x,y)$ only if $B$
is located on the part(s) of the circle $C(Q,R)$ centered at $Q(x,y)$ with a diameter
$R$ and contained by $S_1$.

Lemma 3. Dependence of $\varphi(i,Q(x,y))$ from $\varrho(Q(x,y))$. Using function
$\varrho(Q(x,y))$, pdf $\varphi(i,Q(x,y))$ is computed using the following integral:



<p(i,Q(x,y))= f — • (11) 



where $\vartheta$ browses the perimeter of $C(Q,R) \subset S_i$ and $a$ is a constant such
that:

$$\iint \varphi(i,Q(x,y))\,dx\,dy = 1. \quad (12)$$



A point $Q \subset S - S_i$ can be illuminated only due to a fiber $f = \{Q,B\}$, such
that $B \subset S_i$. This implies that $B$ is located somewhere on the perimeter of the
circle $C(Q,R)$ contained by $S_i$. For a given fiber $f = \{A,B\}$, the probability that $A$
lands on a specific infinitesimally small arc of length $dl \subset S$, is equal to $dl/\varrho(B)$.
Hence:



^/ I fi) = area(5-^r 1 j g q , rv1/ >( 13 ) 



where function $\mathrm{area}(S - S_i)$ computes the area under $S - S_i$. Thus, the pdf
$\varphi(1,Q(x,y))$ at a point $Q \subset S - S_1$ is proportional to the integral of the inverse of the
value of $\varrho(\cdot)$ over $C(Q,R) \subset S_1$.

Figure 7 is a graphical representation of the nineteen different regions on an
example authentication object 700 that have distinct analytical formulae as a
solution to the integral quantified in Equation 11. For brevity, $\varphi(1,Q(x,y))$ is
approximately solved using a simple numerical computation. The result is
illustrated in Fig. 8.

Fig. 8 is a graph of an example probability density function for a square
authentication object with parameters $L = 64$ and $R = 28$ sampled at unit points.
Fig. 8 shows that the likelihood that an endpoint of a fiber lands on a certain small
area $P \subset S - S_1$ varies significantly depending on the particular position of $P$
within $S - S_1$. By using the information about the variance of $\varphi(i,Q(x,y))$
throughout $S - S_i$, the point-subset compression algorithms can be significantly
improved, as presented in Section IV. Manufacturing an authentication object such
that $\varphi(i,Q(x,y)) = \mathrm{const}$ over the entire area $S - S_i$ is a non-trivial task, probably
as difficult as forging an original authentication object.



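| Area | Bounds | $\psi(1,Q(x,y))$ |
| T0 | $0 < x < L/2 - R$, $0 < y < L/2 - R$ | $0$ |
| T1 | $x^2 + (y - L/2)^2 < R^2$, $0 < x < L/2 - R$, $L/2 - R < y < L/2$ | $R\left[\arcsin\left(\frac{x}{R}\right) + \arccos\left(\frac{L/2 - y}{R}\right)\right]$ |
| T2 | $x^2 + (y - L/2)^2 > R^2$, $0 < x < L/2 - R$, $L/2 - R < y < L/2$ | $2R\arccos\left(\frac{L/2 - y}{R}\right)$ |
| T3 | $x^2 + (y - L/2)^2 > R^2$, $(x - L/2)^2 + y^2 > R^2$, $(x - L/2)^2 + (y - L/2)^2 > R^2$ | $2R\left[\arccos\left(\frac{L/2 - y}{R}\right) + \arccos\left(\frac{L/2 - x}{R}\right)\right]$ |
| T4 | $x^2 + (y - L/2)^2 < R^2$, $(x - L/2)^2 + y^2 < R^2$, $(x - L/2)^2 + (y - L/2)^2 > R^2$ | $R\left[\arccos\left(\frac{L/2 - y}{R}\right) + \arccos\left(\frac{L/2 - x}{R}\right)\right] + R\left[\arcsin\left(\frac{x}{R}\right) + \arcsin\left(\frac{y}{R}\right)\right]$ |
| T5 | $x^2 + (y - L/2)^2 < R^2$, $(x - L/2)^2 + y^2 < R^2$, $(x - L/2)^2 + (y - L/2)^2 < R^2$ | $R\left[\frac{\pi}{2} + \arcsin\left(\frac{x}{R}\right) + \arcsin\left(\frac{y}{R}\right)\right]$ |
| T6 | $x^2 + (y - L/2)^2 < R^2$, $(x - L/2)^2 + y^2 > R^2$, $(x - L/2)^2 + (y - L/2)^2 > R^2$, $L/2 - R < x < L/2$ | $R\left[\arcsin\left(\frac{x}{R}\right) + \arccos\left(\frac{L/2 - y}{R}\right)\right] + 2R\arccos\left(\frac{L/2 - x}{R}\right)$ |
| T7 | $x^2 + (y - L/2)^2 < R^2$, $(x - L/2)^2 + y^2 > R^2$, $(x - L/2)^2 + (y - L/2)^2 < R^2$ | $R\left[\frac{\pi}{2} + \arcsin\left(\frac{x}{R}\right) + \arccos\left(\frac{L/2 - x}{R}\right)\right]$ |
| T8 | $x^2 + (y - L/2)^2 > R^2$, $(x - L/2)^2 + y^2 > R^2$, $(x - L/2)^2 + (y - L/2)^2 < R^2$ | $R\left[\frac{\pi}{2} + \arccos\left(\frac{L/2 - x}{R}\right) + \arccos\left(\frac{L/2 - y}{R}\right)\right]$ |

Table 1.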



B. Illumination Ratio of Fiber End-Points 

Definition 3. Illumination Ratio of Fiber End-Points. For an
authentication object $(L,R,K)$ and its illuminated region $S_i$, the illumination ratio
$\lambda$ is defined as a probability that a fiber $f = \{A,B\}$ has landed such that one of its
end-points is in $B \subset S - S_i$ conditioned on the fact that the other end-point is in
$A \subset S_i$:

$$\lambda = \Pr[B \subset S - S_i \mid f = \{A,B\},\ A \subset S_i]. \quad (14)$$

Definition 4. Possibly Illuminated Arc. For any point $A \subset S_i$, a function
$\psi(i,A(x,y))$ is defined that measures the length of the part of the perimeter of
$C(A,R)$ contained by $S - S_i$.

Figure 9 is a graphical representation of the areas T0-T8, where
$\psi(i,Q(x,y))$ is computed using distinct closed analytical forms. $\psi(i,Q(x,y))$ is
analytically computed based on the analysis of the events (i-ii) from Section III-A.
Similarly to Section III-A, only $\psi(1,Q(x,y))$, the case when region $S_1$ is lit up, is computed.
There are nine different regions in the COA (marked T0 through T8 in Fig. 9)
where $\psi(1,Q)$ is computed uniformly. The analytical closed forms for $\psi(1,Q)$
depending on the location of $Q$ within $S_1$ are given in Table 1.

Lemma 4. Dependence of $\psi(1,Q(x,y))$, $\varrho(Q(x,y))$, and $\lambda$. The
illumination ratio defined as in Def. 3 can be computed as follows:

X = f d5) 

A circle centered at a point $A \subset S$ with radius R is denoted as $C(A,R)$.
For each point $Q \subset S_i$, the likelihood that the other end-point B of a
fiber $f = \{Q,B\}$ lands within $S - S_i$ equals the ratio of lengths of parts of
the perimeter of $C(Q,R)$ contained by $S - S_i$ and S respectively. By
integrating this ratio over all points within $S_i$, Equation 15 is obtained.

Given an authentication object (L,R,K), using $\lambda$, computed by numerically
approximating Equation 15 and the closed forms for $\psi(1,Q)$ from Table 1, one
can compute the expected number of illuminated points in $S - S_1$ when $S_1$ is
illuminated as $\lambda K/2$. For example, for an authentication object
(64,28,100) the resulting $\lambda \approx 0.74$, which means that on the
average, the number of illuminated endpoints in case $S_1$ is illuminated is
about $0.74 \cdot 50 = 37$.

IV. Compression of a Point-Subset in a COA

The goal of the certificate of authenticity system is to make the task of
manufacturing (i.e. forging) a specific authentication object instance as
difficult as possible. This goal is quantified as a demand for recording the
positions of as many fibers of the authentication object as possible. In the
example compression algorithm, the number of regions of the authentication object
equals four; hence, for each region $S_i$, a quarter $n_M/4$ of the bits in the
signed message m is dedicated to storing as many as possible fiber end-points
illuminated in $S - S_i$ once light is shed on $S_i$. Note that in general, not
all illuminated points need to be stored; only the largest subset of these points
that can be encoded using $n_M/4$ bits.

In this section, a mechanism is described which is configured to encode the
distance between two illuminated points in an authentication object. The
mechanism is based on arithmetic coding. Next, the problem of compressing as
many as possible fiber endpoints using a constant number of bits is formalized.
Finally, the discussion shows that this problem is NP-complete, and a
constructive heuristic is presented as a sub-optimal solution.

A. Encoding Point-to-Point Vectors 

In this subsection, it is described how a vector defined by its starting and
ending point is encoded using a near-minimal number of bits. An additional
constraint is that the points in the considered area occur according to a given pdf.

1) Arithmetic coding:

An arithmetic coder (AC) converts an input stream of arbitrary length into a
single rational number within $[0,1)$. The principal strength of AC is that it can
compress arbitrarily close to the entropy. The discussion below shows how a word
"aba" is encoded given an alphabet with an unknown pdf of symbol occurrence.

Fig. 10 is a graphical representation of an example of how an arithmetic
coder encodes the string "aba" given an alphabet $L = \{a,b\}$ with an
unknown pdf of symbol occurrence.
Initially, the range of the AC is reset to $[0,1)$ and each symbol in L is given an
equal likelihood of occurrence $\Pr[a] = \Pr[b] = 1/2$. Thus, the AC divides its
range into two subranges $[0,0.5)$ and $[0.5,1)$, each representing "b" and "a"
respectively. Symbol "a" is encoded by constraining the range of the AC to the
range that corresponds to this symbol, i.e., $[0.5,1)$. In addition, the AC updates
the counter for the occurrence of symbol "a" and recomputes $\Pr[a] = 2/3$ and
$\Pr[b] = 1/3$. In the next iteration, according to the updated $\Pr[a]$, $\Pr[b]$,
the AC divides its range into $[0.5,0.6667)$ and $[0.6667,1)$, each representing
"b" and "a" respectively. When "b" arrives next, the AC reduces its range to the
corresponding $[0.5,0.6667)$, updates $\Pr[a] = \Pr[b] = 2/4$, and divides the new
range into $[0.5,0.5833)$ and $[0.5833,0.6667)$, each representing "b" and "a"
respectively. Since the final symbol is "a", the AC encodes this symbol by
choosing any number within $[0.5833,0.6667)$ as an output. By choosing a number
which encodes with the fewest number of bits (digits in our example), 0.6, the AC
creates its final output. The decoder learns the message length either
explicitly from the header of the compressed message or via a special
"end-of-file" symbol.

The AC iteratively reduces its operating range up to a point when its range
is such that the leading digit of the high and low bound are equal. Then, the
leading digit can be transmitted. This process, called renormalization, enables
compression of files of any length on limited precision arithmetic units.
Performance improvements of classic AC focus on: using precomputed
approximations of arithmetic calculations, replacing division and multiplication
with shifting and addition.

An AC encodes a sequence of incoming symbols $s = s_1, s_2, \ldots$ using a
number of bits equal to the source's entropy, $H(s) = -\sum_i \Pr[s_i] \log_2(\Pr[s_i])$.
Hence, for a semi-infinite stream of independent and identically distributed
symbols, on a computer with infinite precision arithmetic, the AC is an optimal
entropy coder.
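
The "aba" walk-through above, reproduced with exact rational arithmetic as an added example (not code from the patent text). The function names are chosen here for illustration; the adaptive model starts with one count per symbol and places "b" in the lower sub-range, as in the walk-through.

```python
from fractions import Fraction
from math import ceil

# Sub-range order used in the walk-through: "b" takes the lower part, "a" the upper.
SYMBOLS = ("b", "a")


def split(low, high, counts):
    """Divide [low, high) among SYMBOLS in proportion to their current counts."""
    total = sum(counts.values())
    ranges, cursor = {}, low
    for sym in SYMBOLS:
        upper = cursor + (high - low) * Fraction(counts[sym], total)
        ranges[sym] = (cursor, upper)
        cursor = upper
    return ranges


def encode(message):
    """Return the final range and the range reached after each symbol."""
    low, high = Fraction(0), Fraction(1)
    counts = dict.fromkeys(SYMBOLS, 1)      # equal likelihood at reset
    trace = []
    for sym in message:
        low, high = split(low, high, counts)[sym]
        counts[sym] += 1                    # adapt the model after coding the symbol
        trace.append((low, high))
    return (low, high), trace


def shortest_decimal(low, high):
    """Number inside [low, high) that needs the fewest decimal digits."""
    digits = 0
    while True:
        scale = 10 ** digits
        candidate = Fraction(ceil(low * scale), scale)
        if candidate < high:
            return candidate
        digits += 1


def decode(value, length):
    """Replay the same adaptive model; the length comes from the header."""
    low, high = Fraction(0), Fraction(1)
    counts = dict.fromkeys(SYMBOLS, 1)
    out = []
    for _ in range(length):
        for sym, (lo, hi) in split(low, high, counts).items():
            if lo <= value < hi:
                out.append(sym)
                low, high = lo, hi
                counts[sym] += 1
                break
    return "".join(out)


if __name__ == "__main__":
    final_range, steps = encode("aba")
    for lo, hi in steps:
        print(f"[{float(lo):.4f}, {float(hi):.4f})")
    code = shortest_decimal(*final_range)
    print("output:", float(code), "decoded:", decode(code, 3))
```
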

2) Arithmetic Encoding of a Min-Distance Point-to-Point Vector

Given an authentication object (L,R,K), it is assumed that light is shed on
one of its quadrants, $S_i$. Next, we assume that the authentication object is
partitioned into a grid of $L \times L$ unit squares $U = u(i,j)$, $i = 1 \ldots L$,
$j = 1 \ldots L$, where each $u(i,j)$ covers the square area within
$x \in (i-1, i]$, $y \in (j-1, j]$. Unit areas model the pixels of the digital
scan of an authentication object. The resolution of the scan equals $L \times L$.
Next, a principal point of a unit $u(x,y)$ is defined as a point $Q_u$ with
coordinates (x,y).

Lemma 5. Unit Illumination Likelihood. Assuming there are k fibers
with exactly one end-point in $S - S_i$, the probability that any unit area
$u(x,y) \subset S - S_i$ contains at least one illuminated fiber end-point equals:

$\tau(u) = \Pr[(\exists f = \{A,B\} \in F)\ A \subset u, B \subset S_i] = 1 - [1 - £(i,u)]^k$ (16)

And

$\tau(u) = \Pr[(\exists f = \{A,B\} \in F)\ A \subset u, B \subset S_i] = 1 - \Pr[(\neg\exists f \in F)\ A \subset u, B \subset S_i] = 1 - (1 - \Pr[A \subset u, B \subset S_i \mid f = \{A,B\}])^k$

From Equation 7, Equation 16 is concluded. In Section III-B, the
expectation for k, $E[k] = \lambda K/2$, is computed.

Problem 1. Dual Vector Encoding for COA. Conditioned on the fact that
unit $u \subset S - S_i$ contains an illuminated fiber end-point, a goal is to
encode using as few as possible bits the locations of two other illuminated units
$v_1$ and $v_2$ relative to unit u. An additional constraint is that among all
illuminated units in $S - S_i$, the principal points of $v_1$ and $v_2$, $Q_1$ and
$Q_2$ respectively, are located at two shortest distances in Euclidean sense from
the principal point of u, $Q_u$. A priority rule is set so that if a set of units
V, $|V| > 1$, are at the same distance with respect to u, the one with the highest
likelihood of illumination, $\arg\max_{v \subset V}(\tau(v))$, is encoded first.

Set U as a list of all unit areas in $S - S_i - u$.
List of all marked units, M(u), is set to $M(u) = \emptyset$.
do
    Find all unit areas $V = \arg\min_{v \subset U} \|Q_v - Q_u\|$.
    do
        Find unit area $w = \arg\max_{v \subset V} £(1, v)$.
        Set AC range for w to $\gamma(w,u)$ (see Eqns. 17, 18).
        Set of nodes ordered before w is $M_w(u) = M(u)$.
        $M(u) = M(u) \cup w$, $V = V - w$, $U = U - w$.
    while $V \ne \emptyset$
while $U \ne \emptyset$

Table 2. Algorithm A1.

The encoding of a unit-to-unit vector is done using an AC, which uses
algorithm A1 to assign a corresponding range on the encoding interval for each
encoding symbol, i.e. each unit $v \subset S - S_i$ different from the source unit
u. For each unit v, algorithm A1 assigns a range equal to the probability that v
is one of the two closest illuminated units with respect to the source unit u.
This probability is denoted as $p(v \mid u)$. In the case when $k \gg 1$ units are
expected to illuminate in $S - S_i$, $p(v \mid u)$ can be computed as follows:

p(v| W ) = r(v) [7 [l-*("0]+ (17) 

wcM v (u) 

x t ^ t w n 

where the set of units $M_v(u)$ is computed as in algorithm A1. For each unit
v, algorithm A1 assigns a range $\gamma(v,u)$ used by the AC to encode v
conditioned on the fact that u has already been encoded. This range is equal to:

$\gamma(v,u) = \frac{p(v \mid u)}{\sum_{w} p(w \mid u)}$ (18)

Thus, the two nearest illuminated units are encoded by construction
near-optimally (e.g. the encoding is optimal on a processor with infinite
precision arithmetic) because a sequence of symbols is encoded using a number of
bits approximately equal to the entropy of the source:

$H(u) = -\sum_{v} \gamma(v,u) \log_2[\gamma(v,u)]$ (19)

Dual vector encoding is used as a primitive to encode a subset of points in
the overall compression algorithm presented in Section IV-B. Although the
encoding algorithm is near-optimal for the set of assumptions presented in Section
IV-A.2, the same set of constraints is not valid for the overall compression goal;
hence, the inherent optimality of using arithmetic coding with range allocation via
A1 is discussed in Section IV-B.

B. Compression of a Point-Subset

The optimization problem of compressing the positions of as many as
possible illuminated unit areas using a fixed number of bits is modeled. Consider
the following directed complete graph with weighted edges. For each illuminated
unit $u \subset S - S_i$, a node $n_u$ is created. A directed edge $e(u,v)$ from
node $n_u$ to node $n_v$ is weighted with the optimal length of the codeword that
encodes the vector that points to v, $\omega(e(u,v)) = -\log_2[\gamma(v,u)]$ as in
Equation 19, conditioned on the fact that u is already encoded. Let us denote this
graph as $G(N,E,\Omega)$, where N, E, and $\Omega$ represent the set of nodes,
directed edges, and corresponding weights respectively.

Problem 2. Compression of a Point-Subset (CPS).

INSTANCE: Directed, complete, and weighted graph $G(N,E)$ with a
non-negative vertex function $\Omega : E \to R$, positive integer
$l_{min} \in Z^+$, positive real number $\Lambda \in R^+$.

QUESTION: Is there a subset of $l > l_{min}$ nodes $N^* \subset N$ with a path
through them, i.e. a permutation $\langle n_{\pi(1)}, \ldots, n_{\pi(l)} \rangle$,
such that the sum of weights along the path is:

$\sum_{i=1}^{l-1} \omega(e(n_{\pi(i)}, n_{\pi(i+1)})) < \Lambda$ (20)

Problem 2 models the optimization problem of compressing as many as
possible (i.e. l) fiber end-points in an authentication object using a fixed storage
(i.e. $\Lambda$). This problem is NP-complete as it can be shown that the ASYMMETRIC
TRAVELING SALESMAN PROBLEM, ATSP, can be reduced to CPS, ATSP CPS, via
binary search for $\Lambda$. In the remainder of this section, an efficient
constructive heuristic A2 is presented that aims at solving this problem. The
premier design requirement for the heuristic is fast run-time performance because
each certificate of authenticity must be signed separately at a manufacturing line.
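
Problem 2 on a small instance, as an added example that is not part of the patent text: an exhaustive search for the simple path with the most nodes whose total weight stays below $\Lambda$ (Equation 20). The 5-node weight matrix OMEGA and the function names are constructed for illustration; exhaustive search is feasible only at this size, which is why the text turns to the heuristic A2.

```python
from math import inf

# Constructed instance: OMEGA[u][v] is the codeword length in bits of the
# directed edge u -> v. Weights are asymmetric, e.g. 0 -> 4 costs 9 bits
# while 4 -> 0 costs 1 bit.
OMEGA = [
    [0, 2, 6, 7, 9],
    [3, 0, 2, 6, 8],
    [6, 5, 0, 3, 7],
    [7, 6, 3, 0, 2],
    [1, 8, 7, 6, 0],
]


def path_weight(omega, path):
    """Sum of edge weights along consecutive nodes of the path."""
    return sum(omega[u][v] for u, v in zip(path, path[1:]))


def solve_cps(omega, budget):
    """Return (path, weight): the simple path with the most nodes whose
    weight is strictly below `budget`; ties go to the lighter path."""
    n = len(omega)
    best = {"path": [], "weight": inf}

    def record_if_better(path, weight):
        if (len(path), -weight) > (len(best["path"]), -best["weight"]):
            best["path"], best["weight"] = list(path), weight

    def extend(path, used, weight):
        record_if_better(path, weight)
        for v in range(n):
            if v in used:
                continue
            new_weight = weight + omega[path[-1]][v]
            if new_weight < budget:         # weights are non-negative: safe to prune
                path.append(v)
                used.add(v)
                extend(path, used, new_weight)
                path.pop()
                used.discard(v)

    for start in range(n):
        extend([start], {start}, 0)
    return best["path"], best["weight"]


if __name__ == "__main__":
    for budget in (3, 6, 10):
        path, weight = solve_cps(OMEGA, budget)
        print(f"budget {budget:2d} bits -> {len(path)} points, path {path}, {weight} bits")
```
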

First, the distance measure between two nodes in N does not obey the
triangle inequality for all nodes. Intuitively, the encoding procedure from Section
IV-A encodes vectors in $S - S_i$ using a number of bits proportional to the
likelihood that a certain unit is one of the two closest illuminated points. Hence,
units farther from the source node are encoded with significantly longer
codewords as they are unlikely to occur, which renders shortcuts to these nodes in
the solution route highly undesirable.

Theorem 2. The distance measure $\omega$ does not universally obey the triangle
inequality:

$\omega(e(u,v)) + \omega(e(v,w)) \ge \omega(u,w)$.

For simplicity, assume that $(\forall w \subset S - S_i)\ t = \tau(w) = const.$,
then u, v, and w are positioned along the same line in $S - S_i$. The Euclidean
distances $\|u - v\|$, $\|v - w\|$, and $\|u - w\|$ are a, b, and a + b
respectively. The triangle inequality implies that
$f(u,v,w) = \log_2[\gamma(w,u)] - \log_2[\gamma(v,u)] - \log_2[\gamma(w,v)] \ge 0$.
From Equations 17 and 18, the following can be computed:

f(a,b,t) = 2atorlog 2 (l-0 + log 27 ^ — 

1-' (21) 

(1-Q 2 + Q 2 +b 2 )nt(\-t) + a*b A n 2 t 2 
82 l + [(a + 6) 2 *-l> 



and show that for $ab\pi t \gg 1$, the triangle inequality does not hold, i.e.,
$f(a,b,t) < 0$.

The best approximation algorithm for ATSP where the triangle inequality
holds yields solutions at most $\log(|N|)$ times worse than the optimal.
Alternatively, to the best knowledge of the authors, approximation algorithms for
ATSP variants where the triangle inequality does not hold have not been
developed. In the general case, when the distance metric function $\omega$ is
arbitrary, the ATSP problem is NPO-complete, i.e. there is no good approximation
algorithm unless P = NP. On the other hand, variants of TSP which satisfy a
scaled version of the triangle inequality,
$\mu(\omega(e(u,v)) + \omega(e(v,w))) \ge \omega(u,w)$, $\mu \ge 1$, can be solved
by approximation algorithms with a worst case result $(3\mu + 1)\mu/2$ times worse
than the optimal solution. Distance metric $\omega$ does not follow this
constraint; hence, a heuristic for Problem 2 is developed without a worst-case
guarantee. In addition, we aim for as good as possible performance of the
heuristic on the average, rather than a worst-case guarantee. An authentication
object instance which cannot be compressed satisfactorily can be disposed of.
The likelihood of this event should be small, less than one in a million.



Constructive phase
    Set of edges $E' = \{\arg\min_e(\omega(a,b), \omega(b,a)) \mid (\forall a,b) \subset N\}$.
    Set of subpaths P is selected as a set of shortest K edges
        in E' s.t. their weights sum up as close as possible to $\Lambda$, sorted by $\omega$.
    Denote the weight of the shortest edge in E as $\omega_{min}$.
    for each path $p_i \subset P$, $i = 1..K-1$
        for each path $p_j \subset P$, $j = i+1..K$
            if $p_i$ and $p_j$ have a common source-destination node
                Concatenate $p_i$ and $p_j$ as $p_i = p_i \mid p_j$.
                Remove $p_j$ from P.
    Denote source and destination nodes of a path $p_i \subset P$
        as $s_i$ and $d_i$ respectively.
    for each path $p_i \subset P$, $i = 1..|P|$
        Find all shortest paths $q(i,j)$ from $s_i$ to any $d_j$.
    while $|P| > maxP$
        $(p_i, p_j) = \arg\min_{q(i,j)} \frac{\sum_{e \subset \{p_i \mid q(i,j) \mid p_j\}} \omega(e)}{|\{p_i \mid q(i,j) \mid p_j\}|}$
        Concatenate $p_i = p_i \mid q(i,j) \mid p_j$ and remove $p_j$ from P.
    Find exhaustively a concatenation $p_h = p_1 \mid \ldots \mid p_{maxP}$ s.t.
        $M(p_h)\{\sum_{e \subset p_h} \omega(e) < \Lambda$ and $|p_h|$ is maximal$\}$.
    reroute($p_h$)

reroute($p_h$)
    $p_{best} = p_h$
    for each edge $e(s_i, d_i) \subset p_h$, $i = 1, \ldots, |p_h| - 1$
        for each node pair $(d_i, s_j) \subset p_h$, $j = i+2, \ldots, |p_h| - 1$
            Find shortest path $q(i,j)$ via nodes in $N - p_h$.
            if path $e_1, \ldots, e_i \mid q(i,j) \mid e_j, \ldots, e_{|p_h|}$ has a better metric
                than $M(p_h)$ then set $p_{best}$ to that path.

Greedy Iterative Improvement
    repeat I times
        Contract $p_h$ so that $\sum_{e \subset p_h} \omega(e) < \rho\Lambda$, where $\rho$ is a
            contraction factor, randomly chosen from $\rho \in \{0.4, 0.8\}$.
        Denote nodes $n_0$ and $n_l$ as the first and last node in $p_h$.
        while $\sum_{e \subset p_h} \omega(e) < \Lambda$
            Among edges that have $n_0$ or $n_l$ as destination or
                source respectively, find edge e with minimal weight.
            Concatenate e to $p_h$.
        reroute($p_h$)

Table 3. Algorithm A2.



The rationale behind using the distance metric $\omega$ from Section IV-A is
based on an assumption that a good solution succeeds in traversing each node on
its route via the two closest neighboring nodes. Hence, in the scope of Problem 2,
the used metric is optimal only if the best solution found satisfies this property.
If the final solution does not have this property, the optimality of encoding a
single vector is dependent upon the distribution of weights of the edges in the
solution.

The developed heuristic A2 has two stages: a constructive and an iterative
improvement phase. The constructive phase follows a greedy heuristic which
builds the initial solution. Initially, A2 identifies a set of dominating edges E'.
For each pair of edges, e(u,v), e(v,u), between nodes u, v, A2 selects only the
shorter of the two and stores it in E'. Next, a set P of initial subpaths is created
by sorting the edges in E' and selecting the top K shortest edges whose weights sum
up as close as possible to $\Lambda$. The first and last node in a path $p_i$ are
denoted as $s_i$ and $d_i$ respectively. In the next step, A2 concatenates subpaths
from P iteratively in the increasing order of their weights: at any point, the pair
of shortest subpaths $p_i$, $p_j$ which have a common source-destination node
$d_i = s_j$ is concatenated until all possible connections are established. In the
unlikely case when $|P| = 1$, the optimal solution is found and the search is
stopped. Else, all single-edge subpaths are removed from P. Then, using Dijkstra's
algorithm, A2 finds all shortest paths between each destination tail $d_i$ of each
subpath $p_i$ in P and source tails of all other subpaths, $s_j$,
$i = 1 \ldots |P|$, $i \ne j$. The shortest paths are routed via nodes which are
not in P. The shortest path between $s_i$ and $d_j$ is denoted as $q(i,j)$. In
another greedy step, A2 sorts all concatenations $p_i \mid q(i,j) \mid p_j$
according to their weight/node count ratio. In increasing order of this metric, A2
continues concatenating subpaths in P via nodes in $N - P$ until the total number
of remaining paths is $|P| = maxP$ (usually maxP = 9). The remaining paths are
concatenated using an exact algorithm which finds a path $p_h$ with the optimal
metric: maximal cardinality and a sum of weights smaller than $\Lambda$. In the
final step, a rerouting procedure browses all the nodes in P, and using the
Dijkstra algorithm tries to find shortest paths to other nodes in P via the
remaining nodes in E. The same procedure also tries to find a better ending tail
than the one that exists in $p_h$. For each reroute, A2 checks whether the new
reroute has a better metric than the current, best path $p_h$.

Figure 11 shows an example of an instance of an authentication object
$(512, 0.4 \cdot 512, 256)$ with k = 88 nodes. A2 returned the path illustrated
with bold lines. The path is such that its sum of weights is smaller than
$\Lambda = 512$. To document the path, 12.11 bits per point are used.

In the iterative improvement phase, we repeat several rounds of the
following loop. In the first step, A2 contracts the currently best found path
$p_{best}$ into $p_h$, so that $|p_h|$ is maximal and the sum of weights along
$p_h$ is smaller than a fraction of $\rho\Lambda$. The contraction parameter
$\rho$ is randomly selected in each iteration within $\rho \in \{0.4, 0.8\}$.
Nodes $n_0$ and $n_l$ are denoted as the first and last node in $p_h$. While the
sum of weights in $p_h$ is smaller than $\Lambda$, among edges that have $n_0$ or
$n_l$ as destination or source respectively, we find an edge e with minimal weight
and concatenate it to $p_h$. When the new candidate path $p_h$ is created, it is
adopted as the best solution if its metric is better than the metric of the best
path created so far. As a last step of the iterative improvement loop, A2
performs the rerouting procedure previously described.

In order to fit the run-time of A2 for a particular authentication object
(L,R,K) class within one second, the improvement loop is repeated
$I = \{100, 10000\}$ times. In general, the worst-time complexity of A2 is
$O(|N|^3 \log |N|)$ as multi-source shortest paths are computed via the Dijkstra
algorithm. In an implementation that uses the Floyd-Warshall algorithm to compute
all pairs shortest paths, the complexity of A2 can be reduced to $O(|N|^3)$.
Although the graph is originally complete, by removing edges with high weights, we
create a sparse graph, where Johnson's algorithm for all-pairs shortest paths
yields $O(|N|^2 \log |N| + |N||E|)$.

Lee & Hayes, PLLC    MS1-193WS

V. Empirical Evaluation

The discussion in this section shows how authentication object (L,R,K)
parameters impact the performance of the algorithm A2. Figure 11 illustrates a
solution to a single instance of the problem, an authentication object
$(512, 0.4 \cdot 512, 256)$. The scanning grid is set to L = 512 scanning cells.
The figure depicts the case when the lower left quadrant of the authentication
object is illuminated. Graph G(N,E), built using the corresponding illuminated
fiber end-points, is illustrated with medium bold lines. Only the top ten shortest
edges starting from each of the k = 88 nodes in the graph are shown. The resulting
path, shown in the figure using bold lines, consists of 41 nodes. The sum of
weights along the path's edges is smaller than the storage limit: $\Lambda = 512$
bits. The path is compressed using 12.11 bits per fiber end-point (b/fep). Storing
the data without compression would require $41 \cdot 18 = 738$ bits, which results
in a compression ratio of 0.61. The compression ratio is defined as a ratio of the
size of the compressed message vs. the original message size.

VI. A Design Objective for a COA System

A goal of the certificate of authenticity designer is to maximize the cost of
forgery $g_f$ using a bounded manufacturing cost $g_m$. Several parameters may
impact $g_m$. For brevity and simplicity, three parameters are discussed:

the total length of fiber $RK \le \Phi$,

the scanning tolerance $\zeta$, and

the barcode storage $\Lambda$.

System performance is optimized by limiting the number of trials available
to the adversary for accurate positioning of a sufficient subset of the signed fiber
end-points (Section VI-A) and by selecting the system parameters $\{R_*, K_*\}$ so
that the expected forging cost $g_f(A2)$ is maximized (Section VI-B).

A. Limiting the Number of Adversarial Trials

Consider a compression scheme C which stores G out of the k
illuminated fiber end-points in a $\Lambda$-limited storage. In general, when
forging a certificate of authenticity, the adversary can use all k fibers to try to
place at least $G\zeta$ of them accurately at their corresponding locations. The
cost of forging a certificate of authenticity greatly depends upon the number of
available trials. Here, a technique is proposed which aims at reducing the number
of adversarial trials, $K_T$, by detecting anomalous distribution of fibers around
the signed fiber end-points during verification.



Issuing a COA Instance
    Scan for a set N of k points, illuminated when light is shed on $S_i$.
    Using $\Lambda$ bits, compress a subset $P \subset N$, with $G = |P| < k$.
    Find a subset of units $U \subset S - S_i$, such that
        $(\forall u_i \in U)(\forall p_j \in P)\ \min(\|u_i - p_j\|) < \epsilon_1$.
    $\epsilon_2 = |N \cap U| - G$, $K_T = G + \epsilon_2$.
    Sign P, $\epsilon_2$ and the associated information (see Section 2).

Verifying a COA Instance
    Extract P, $\epsilon_2$ from signature.
    Find a subset of units $U \subset S - S_i$, such that
        $(\forall u_i \in U)(\forall p_j \in P)\ \min(\|u_i - p_j\|) < \epsilon_1$.
    Scan for a set N' of k' points, illuminated when light is shed on $S_i$.
    if $|N' \cap U| > K_T$ then COA instance is invalid,
    elseif $|N' \cap P| \ge G\zeta$ then COA instance is valid,
    else COA instance is invalid.

Table 4. Algorithm A3

The certificate of authenticity issuer and verifier repeat their parts of the
algorithm A3 for each authentication object quadrant $S_i$. The issuer initially
scans the authentication object instance and collects information about the set of
points N which illuminate when $S_i$ is lit up. Next, using the available
$\Lambda$ bits, it compresses the largest subset $P \subset N$, $|P| = G$, returned
by A2. Then, A3 finds a subset $U \subset S - S_i$, such that the Euclidean
distance between each unit $u_i \in U$ and its closest unit $p_j \in P$ is at most
$\epsilon_1$. Subset U of units represents an $\epsilon_1$-neighborhood of P. Then,
the issuer counts the number $K_T$ of points in N that exist in U. Since $K_T$ has
to be greater than G to prevent false negatives, the issuer stores along with P
the difference $\epsilon_2 = K_T - G$ in the message m, which is later signed using
the private key of the issuer (see Section II). Using the public key of the issuer,
the verifier extracts from the attached signature the compressed point subset P
and $\epsilon_2$ and recreates the corresponding $\epsilon_1$-neighborhood, U.
Then, the verifier scans the authentication object instance for the set of
illuminated fibers N' when $S_i$ is lit up. It announces that the instance is
authentic by checking that the number of common points in U and N' is at most
$G + \epsilon_2$ and that the number of common points in N' and P is at least
$G\zeta$.

By storing $\epsilon_2$ in the signature, the adversary is forced to use at most
$K_T = G + \epsilon_2$ trials that position fibers in the $\epsilon_1$-neighborhood
of P. The adversary's goal is to place at least $G\zeta$ fiber end-points from P
accurately; hence, the adversary can afford $G(1 - \zeta) + \epsilon_2$
misplacements located in the $\epsilon_1$-neighborhood of P during the forgery
process. It is expected that each trial, targeting a point $p_i$, if unsuccessful,
ends up in the $\epsilon_1$-neighborhood of $p_i$. By increasing $\epsilon_1$, the
verifier can identify possible misplacements over a larger neighborhood; however,
this also increases the expectation for $\epsilon_2$, a value that the certificate
of authenticity designer wants to keep as low as possible.
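
The issuing and verifying steps of algorithm A3, as an added example (not code from the patent text). Signature creation and checking are left out and the record is assumed to be already authenticated; the point sets, $\epsilon_1 = 3$ and $\zeta = 0.75$ are constructed values, and a unit is counted in U when its distance to the nearest signed point is at most $\epsilon_1$.

```python
from dataclasses import dataclass
from math import hypot


@dataclass(frozen=True)
class SignedRecord:
    """What the issuer signs for one quadrant (signature handling omitted)."""
    P: frozenset    # signed end-point units, as (x, y) grid coordinates
    eps2: int       # |N ∩ U| - G, lets the verifier rebuild K_T = G + eps2


def in_neighborhood(unit, P, eps1):
    """True if `unit` belongs to U, the eps1-neighborhood of P."""
    return min(hypot(unit[0] - p[0], unit[1] - p[1]) for p in P) <= eps1


def count_in_U(points, P, eps1):
    return sum(1 for q in set(points) if in_neighborhood(q, P, eps1))


def issue(N, P, eps1):
    """Issuer side: count scanned points near P and store the surplus eps2."""
    P = frozenset(P)
    if not P <= set(N):
        raise ValueError("P must be a subset of the scanned points N")
    return SignedRecord(P=P, eps2=count_in_U(N, P, eps1) - len(P))


def verify(record, N_scan, eps1, zeta):
    """Verifier side: returns (is_valid, reason) for a fresh scan N'."""
    G = len(record.P)
    K_T = G + record.eps2
    if count_in_U(N_scan, record.P, eps1) > K_T:
        return False, "more than K_T end-points in the neighborhood of P"
    if len(set(N_scan) & record.P) >= zeta * G:
        return True, "enough signed end-points found"
    return False, "fewer than G*zeta signed end-points found"


# Constructed scans. P has G = 4 points; (11, 12) is the only other scanned
# point within eps1 = 3 of P, so the issuer stores eps2 = 1 and K_T = 5.
EPS1, ZETA = 3, 0.75
P_SIGNED = [(10, 10), (20, 15), (30, 30), (40, 12)]
N_ISSUED = P_SIGNED + [(11, 12), (50, 50), (28, 33)]
RESCAN_ONE_MISSED = [q for q in N_ISSUED if q != (40, 12)]
# Three exact placements plus four near misses: 7 points in U, above K_T.
MANY_NEAR_MISSES = [(10, 10), (20, 15), (30, 30),
                    (41, 13), (39, 11), (21, 16), (9, 9)]
# Within K_T, but only two of the four signed points are matched.
TOO_FEW_MATCHES = [(10, 10), (20, 15), (31, 31), (41, 13)]

if __name__ == "__main__":
    rec = issue(N_ISSUED, P_SIGNED, EPS1)
    for name, scan in [("genuine", N_ISSUED), ("one missed", RESCAN_ONE_MISSED),
                       ("near misses", MANY_NEAR_MISSES),
                       ("few matches", TOO_FEW_MATCHES)]:
        print(name, verify(rec, scan, EPS1, ZETA))
```
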

Below, an empirical design methodology is shown which adopts a given
$\epsilon_1 = const.$, and then seeks to maximize the main objective $g_f(A2)$
from the perspective of several certificate of authenticity parameters.

B. Designing a COA System

Problem 3. A Design Objective for a COA System. For a given
compression algorithm A2, fixed $RK \le \Phi$, $\zeta$, $\epsilon_1$, v, and
$\Lambda$, find a cut $\{R_*, K_*\}$ of the available fiber which maximizes:

$\{R_*, K_*\} = \arg\max_{\{R,K\}} g_f(A2, R, K)$ (22)

where $g_f$ is defined in Lemma 2. Note that the number of trials k in Eqn. 2
equals $K_T$ as presented in Subsection VI-A. Compression performance G in
Equation 2 depends upon the efficacy of A2.

Figure 12 is a graphical representation of a certificate of authenticity design
for optimized cost effectiveness. The abscissa quantifies fiber length R relative to
L, while the ordinate shows the number of fibers K. The bar illustrates the
log-cost of forgery $\log_{10}(g_f(A2,R,K))$ with a constraint limit
$\Lambda = 512$ bits and a set of fixed parameters: $\zeta = 0.9$,
$\epsilon_1 = 8$, and v = 0.8. The figure also illustrates the quality of
solutions obtained for all cuts of a fixed length fiber $RK = \Phi = 100L$.

A simple empirical technique may be used that searches for the best fiber
cut $\{R_*, K_*\}$. The search procedure is illustrated using Figure 12. The
abscissa and the ordinate represent the values of R and K respectively. The bar
denotes the expected log-cost of forging a certificate of authenticity instance,
$\log_{10}(g_f(A2,R,K))$. The cost is given with respect to R and K, and for a
fixed set of parameters: $\Lambda = 512$, $\zeta = 0.9$, $\epsilon_1 = 8$, and
v = 0.8. The diagram in Figure 12 was computed empirically. A2 is applied to 500
randomly generated certificate of authenticity (512,R,K) instances with each
combination of $R = \{0.05L, 0.10L, \ldots, 0.45L\}$ and
$K = \{80, 96, \ldots, 192, 256, 384, 512, 768, 1024\}$. The expected compression
performance for each point in the remaining portion of the {R,K}-space was
obtained by interpolating the empirical results. From Figure 12, the best fiber
cut can be found in the neighborhood of $K_* \approx 900$ and
$R_* \approx 0.1L$. This result points to the fact that for the selected design
environment, a cross-shaped certificate of authenticity is the best option. Note
that careful selection of the fiber cut resulted in an order of magnitude
improvement in the forgery cost with respect to a randomly selected point on
$RK = \Phi$. The empirical principles used in this example can be applied to
search for a near-optimal parameter set for different certificate of authenticity
environments and manufacturing constraints.

Fig. 13 illustrates an example computing device 1300 within which the
described systems and methods can be either fully or partially implemented. 
Computing device 1300 is only one example of a computing system and is not 
intended to suggest any limitation as to the scope of the use or functionality of the 
invention. 

Computing device 1300 can be implemented with numerous other general 
purpose or special purpose computing system environments or configurations. 
Examples of well known computing systems, environments, and/or configurations 
that may be suitable for use include, but are not limited to, personal computers, 
server computers, thin clients, thick clients, hand-held or laptop devices, 
multiprocessor systems, microprocessor-based systems, set top boxes, 
programmable consumer electronics, network PCs, minicomputers, mainframe 
computers, gaming consoles, distributed computing environments that include any 
of the above systems or devices, and the like. 

The components of computing device 1300 can include, but are not limited 
to, processor 1302 (e.g., any of microprocessors, controllers, and the like), system 
memory 1304, input devices 1306, output devices 1308, and network devices 
1310. 

Computing device 1300 typically includes a variety of computer-readable 
media. Such media can be any available media that is accessible by computing 
device 1300 and includes both volatile and non-volatile media, removable and 
non-removable media. System memory 1304 includes computer-readable media 
in the form of volatile memory, such as random access memory (RAM), and/or 
non-volatile memory, such as read only memory (ROM). A basic input/output 
system (BIOS), containing the basic routines that help to transfer information
between elements within computing device 1300, such as during start-up, is stored
in system memory 1304. System memory 1304 typically contains data and/or 
program modules that are immediately accessible to and/or presently operated on 
by processor 1302. 

System memory 1304 can also include other removable/non-removable, 
volatile/non-volatile computer storage media. By way of example, a hard disk 
drive may be included for reading from and writing to a non-removable, non- 
volatile magnetic media; a magnetic disk drive may be included for reading from 
and writing to a removable, non-volatile magnetic disk (e.g., a "floppy disk"); and 
an optical disk drive may be included for reading from and/or writing to a 
removable, non-volatile optical disk such as a CD-ROM, DVD, or any other type 
of optical media. 

The disk drives and their associated computer-readable media provide 
non-volatile storage of computer-readable instructions, data structures, program 
modules, and other data for computing device 1300. It is to be appreciated that 
other types of computer-readable media which can store data that is accessible by 
computing device 1300, such as magnetic cassettes or other magnetic storage 
devices, flash memory cards, CD-ROM, digital versatile disks (DVD) or other 
optical storage, random access memories (RAM), read only memories (ROM), 
electrically erasable programmable read-only memory (EEPROM), and the like, 
can also be utilized to implement exemplary computing device 1300. Any number 
of program modules can be stored in system memory 1304, including by way of 
example, an operating system 1320, application programs 1328, and data 1332. 

Computing device 1300 can include a variety of computer-readable media 
identified as communication media. Communication media typically embodies
computer-readable instructions, data structures, program modules, or other data in
a modulated data signal such as a carrier wave or other transport mechanism and 
includes any information delivery media. The term "modulated data signal" refers 
to a signal that has one or more of its characteristics set or changed in such a 
manner as to encode information in the signal. By way of example, and not 
limitation, communication media includes wired media such as a wired network or 
direct-wired connection, and wireless media such as acoustic, RF, infrared, and 
other wireless media. Combinations of any of the above are also included within 
the scope of computer-readable media. 

A user can enter commands and information into computing device 1300 
via input devices 1306 such as a keyboard and a pointing device (e.g., a "mouse"). 
Other input devices 1306 may include a microphone, joystick, game pad, 
controller, satellite dish, serial port, scanner, touch screen, touch pads, key pads, 
and/or the like. Output devices 1308 may include a CRT monitor, LCD screen, 
speakers, printers, and the like. 

Computing device 1300 may include network devices 1310 for connecting 
to computer networks, such as local area network (LAN), wide area network 
(WAN), and the like. 

Although the invention has been described in language specific to structural 
features and/or methodological steps, it is to be understood that the invention 
defined in the appended claims is not necessarily limited to the specific features or 
steps described. Rather, the specific features and steps are disclosed as preferred 
forms of implementing the claimed invention.